Wireless Access Protocol (WAP) was developed in 1997 by a consortium of major cell phone manufacturers and wireless technology providers such as, Nokia, Ericsson, Motorola, and Unwired Planet. WAP is a global standard that is currently available under two major versions: WAP 1.x and WAP 2.x.
In a traditional wireless communications system using WAP 1.0, a mobile device running WAP-complaint software accesses a WAP gateway through a wireless carrier (e.g., Sprint, Cingular, Verizon, etc.). The WAP-compliant gateway receives data from the mobile device in a WAP-compliant format and converts the data into a format serviceable by a standard web server (e.g., HTTP web server). For example, data in WSP and WTP format is converted to HTTP format before being sent to a web server. Data in WDP format is converted to TCP format before being sent to the web server.
For security, a WTLS protocol is used to protect the data being sent from the mobile device to the WAP gateway using encryption. Meanwhile, SSL protects the data being sent from the WAP gateway to the web server. Therefore, the WAP gateway decrypts the data and then re-encrypts the data to convert from the WTLS protocol to the SSL protocol. It is during this time that the integrity of the end-to-end security of the WAP 1.x compliant system is compromised. This situation is known as the “WAP gap.”
The “WAP gap” results because WAP 1.x uses a proxy-based security architecture which lacks true end-to-end security. Although the WAP consortium resolved the “WAP gap” in WAP 2.0 and subsequent versions by designing the WAP-2.0 compliant user device to transmit data in TCP/IP format such that the WAP gateway (or WAP proxy) need not convert between varying protocol layers, there are still many WAP-1.x compliant devices on the market.
In many cases, the user of a wireless device may not be aware that his or her mobile device is not providing end-to-end security (e.g., is not WAP 2.0-compliant). In another example, a user of a wireless device that is in a roaming mode on another carrier network may not be aware that the temporary carrier is not providing end-to-end security. Furthermore, some vendors such as Phone.com and RSA provide custom WAP 1.x gateways that overcome the “WAP gap” end-to-end security integrity issue, however, an end user may not be aware of the specific WAP gateways used by its carrier and other carriers. Therefore, there is a need in the art to identify when true end-to-end security is not available to a mobile banking customer and to respond accordingly.